Geek Squad

A 22-year-old programmer stops a global cyber attack by purchasing an unregistered domain name for $10.69.

May 19, 2017

Defeating Ransomware: Geek Squad

We just got a glimpse of the near future and it’s not pretty.

It was only a matter of time before a malicious cyber attack wreaked havoc across the world. The fiends who released a particularly destructive piece of malware and infected more than 200,000 computers and systems in 150 countries last week must have been fans of Batman’s nemesis, the Joker. They called their virus WannaCry.

WannaCry was classified as ransomware by the international IT police. Never heard of ransomware? When the unsuspecting victims activated WannaCry by clicking on a phishing email message, all of the data on their hard drives was locked up and they were instructed to make a 300-bitcoin payment to re-access it. [Bitcoin is the anonymous web currency that international monetary authorities initially tried to ban; it’s now equivalent to about $1,800, which is $600 more than the current value of an ounce of gold.] The ransom notes were written in 20 different languages.

WannaCry infected a wide swath of systems around the world, mainly in Europe and Russia. In Great Britain, the computer systems of the National Health Service were crippled and several large hospitals shut down, turning away patients trying to get into their emergency rooms. Rail traffic was disrupted in several countries, and work at several automotive assembly plants was halted. Russia’s Ministry of the Interior also was a target, which must have irritated the cybercriminal who runs the country.

The way this attack apparently started and the way it appears to have been ended should give all of us pause.

We’ll start with the latter. WannaCry was stopped in its tracks (at least temporarily) by a 22-year-old researcher in the U.K. who goes by the moniker MalwareTech. MalwareTech, who thus far has declined to identify himself, was examining the WannaCry code when he came across an unregistered domain name. He purchased the domain name for $10.69 and sent it to a “sinkhole” (the web’s version of purgatory), which deactivated it.

It turns out the unregistered domain name was a “kill switch” embedded in the WannaCry code. When the domain name was deactivated, the WannaCry outbreak appears to have halted. Call it a Hail Mary in cyberspace, a lucky break. [Authorities are warning that the attackers may upgrade their code and try to re-launch the virus.]

Much more ominous is the way WannaCry started. The ransomware was crafted to exploit a vulnerability in the Windows operating system. [The criminals who create malware almost always look for a coding crack in widely used operating systems and apps, so they can exponentially maximize the number of infected computers.] Here’s where it gets really hairy: the Windows vulnerability appears to have been stolen from a menu of major coding flaws kept in the highly encrypted servers of the National Security Agency’s special cyber warfare unit. The NSA has so many of these hacking tools, they give each one a cool cybername, like “DoublePulsar” and “EternalBlue.”

Last August, a nefarious group calling itself Shadow Brokers announced it was auctioning off highly classified NSA hacking tools. A couple of weeks after this announcement, a long-time U.S. intelligence contractor and an unidentified accomplice were charged with walking out of the NSA and related agencies with 50 terabytes of confidential data. They are suspected of providing the NSA tools to Shadow Brokers.

In April of this year, Shadow Brokers dumped dozens of NSA hacking tools on the web (complaining that there was a tepid response to their online auction). One of these tools was used to create WannaCry. [Microsoft created a software upgrade last month to patch the vulnerability used to create WannaCry, but Windows users apparently were not alerted to the urgency of installing it.]

On Tuesday, after WannaCry had inflicted its damage, a post attributed to Shadow Brokers announced that it was starting a “hack-of-the-month club.” Intelligence experts are warning that WannaCry was not a one-off: they expect other stolen NSA tools to be weaponized and used for anonymous cyber attacks.

Did we mention that the prime suspect in the WannaCry attack is North Korea? Yeah, that North Korea, the totalitarian state led by a nutcase who cuts his hair with a lawnmower and executes the barber if he thinks it’s not perfect. Hydrogen bombs are very expensive, especially if you don’t have enough electricity to power a third of your country.

Here’s the sad part:

As usual, the United States is way ahead of the pack in developing new weapons systems. That’s no surprise. What’s unsettling is that we have a Groundhog Day myopia when it comes to remembering that we’ve seen this movie before and we know how it ends. The bad guys inevitably get the same weapons and we become just as defenseless as they initially were.

The U.S. rapidly is developing an arsenal of offensive cyberwar tools. We’ve already deployed a few (the Stuxnet virus that temporarily crippled the Iranian nuclear program was one), setting off an international arms race in cyberspace. [After it was used to infect Iran’s centrifuges, the code for Stuxnet reportedly was acquired by Iran and several other countries; a limited attack on Bank of America’s ATM system was believed by security analysts to be a “warning shot” from Iran that they could do the same thing to us that we had done to them.]

As the most-connected nation on Earth—with our military command and electric power grid both fully integrated electronically—the U.S. is more vulnerable to cyber attacks than any other country. When it comes to U.S. cyber defense, think DOS 2.0. [Yes, we’re all hoping that soon will change as major cybersecurity hubs in Utah and Louisiana, among other locations, get fully up to speed.]

Cyber weapons are like chemical weapons in this respect: it’s very hard to use them effectively in combat without killing yourself. When you create them (and especially when you use them), the code inevitably gets out there, ready to come back and attack you.

That loud bell you’re hearing is not the alarm clock in Groundhog Day, but it might as well be. It’s a warning that cyber attacks soon may be as frequent as, well, the scenario played out in Groundhog Day, thanks to a top-secret agency tasked with keeping us safe.

Companies located in South Carolina’s Business Corner enjoy quick, easy access to both domestic and international markets, a plentiful and qualified workforce and it’s in a place where the cost of living and doing business are well below the national average. Learn more at www.nesasc.org.

For facility management and other stakeholders, National Fire Protection Association releases first comprehensive collection of criteria for the fire protection of energy storage system installations. - Read: Energy Storage System Standard NFPA 855 Released at FacilityExecutive.com.

Location Spotlights

Join 20,000+ Subscribers & Get the latest from Business Facilities!

Business Facilities highlights area economic development and site selection news from around the world. Economic development creates opportunities to grow state, local and metro areas, which are essential for economic growth, improved quality of life and community development.

Business Facilities is a leading full-service media brand specializing in the site selection marketplace. Through a bi-monthly magazine, e-mail newsletters, a news portal, and its LiveXchange event, Business Facilities has created a dynamic community for C-level executives and economic development organizations.